cross-implementation test suite was relicensed to 3-clause BSD

[gnutls:gnutls.git] / tests / suite / testcompat-main-openssl

#!/bin/sh

# Copyright (c) 2010-2015, Free Software Foundation, Inc.
# Copyright (c) 2012-2015, Nikos Mavrogiannopoulos
# All rights reserved.
#
# Author: Nikos Mavrogiannopoulos
#
# This file is part of GnuTLS.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this 
# list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright notice, 
# this list of conditions and the following disclaimer in the documentation and/or
# other materials provided with the distribution.
# 3. Neither the name of the copyright holder nor the names of its contributors may
# be used to endorse or promote products derived from this software without specific
# prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

srcdir="${srcdir:-.}"
CLI="${CLI:-../../src/gnutls-cli$EXEEXT}"
unset RETCODE
if ! test -z "${VALGRIND}";then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
fi

if test "${WINDIR}" != "";then
  exit 77
fi 

. $srcdir/../scripts/common.sh

PORT="${PORT:-$RPORT}"

SERV=openssl
OPENSSL_CLI="openssl"

echo "Compatibility checks using "`$SERV version`
$SERV version|grep -e 1\.0 >/dev/null 2>&1
SV=$?
if test $SV != 0;then
  echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests"
  exit 77
fi

$SERV version|grep -e 1\.0\.1 >/dev/null 2>&1
SV2=$?

. ./testcompat-common

echo "#################################################"
echo "# Client mode tests (gnutls cli-openssl server) #"
echo "#################################################"

for ADD in "" ":%COMPAT" ":%NO_ETM" ":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION"
do

if ! test -z "$ADD";then
echo ""
echo "** Modifier: $ADD"
fi

if test 0 = 1;then

# It seems debian disabled SSL 3.0 completely on openssl

launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -ssl3 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT &
PID=$!
wait_server $PID

# Test SSL 3.0 with RSA ciphersuite
echo "Checking SSL 3.0 with RSA..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

# Test SSL 3.0 with DHE-RSA ciphersuite
echo "Checking SSL 3.0 with DHE-RSA..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

# Test SSL 3.0 with DHE-DSS ciphersuite
echo "Checking SSL 3.0 with DHE-DSS..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

fi

if test "$FIPS" != 1;then
#-cipher RSA-NULL
launch_bare_server $$ s_server -cipher NULL-SHA -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -Verify 1 -CAfile $CA_CERT &
PID=$!
wait_server $PID

# Test TLS 1.0 with RSA-NULL ciphersuite
echo "Checking TLS 1.0 with RSA-NULL..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait
fi

#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA 
launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT &
PID=$!
wait_server $PID

# Test TLS 1.0 with RSA ciphersuite
echo "Checking TLS 1.0 with RSA..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

# Test TLS 1.0 with DHE-RSA ciphersuite
echo "Checking TLS 1.0 with DHE-RSA..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

# Test TLS 1.0 with DHE-RSA ciphersuite
echo "Checking TLS 1.0 with ECDHE-RSA..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

# Test TLS 1.0 with DHE-DSS ciphersuite
echo "Checking TLS 1.0 with DHE-DSS..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

if test "$FIPS" != 1;then

#-cipher ECDHE-ECDSA-AES128-SHA
launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -key $ECC224_KEY -cert $ECC224_CERT -Verify 1 -named_curve secp224r1 -CAfile $CA_ECC_CERT &
PID=$!
wait_server $PID

# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP224R1)..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

fi

#-cipher ECDHE-ECDSA-AES128-SHA
launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -key $ECC384_KEY -cert $ECC384_CERT -Verify 1 -named_curve secp384r1 -CAfile $CA_ECC_CERT &
PID=$!
wait_server $PID

# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

if test "$FIPS" != 1;then
#-cipher ECDHE-ECDSA-AES128-SHA
launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1 -key $ECC521_KEY -cert $ECC521_CERT -Verify 1 -named_curve secp521r1 -CAfile $CA_ECC_CERT &
PID=$!
wait_server $PID

# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
echo "Checking TLS 1.0 with ECDHE-ECDSA (SECP521R1)..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

fi

#-cipher PSK
launch_bare_server $$ s_server -quiet -www -accept $PORT -tls1 -keyform pem -certform pem -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db &
PID=$!
wait_server $PID

echo "Checking TLS 1.0 with PSK..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK$ADD" --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db --insecure </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

if test $SV2 = 0;then
# Tests requiring openssl 1.0.1 - TLS 1.2
#-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA 
launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1_2 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT &
PID=$!
wait_server $PID

echo "Checking TLS 1.2 with RSA..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

echo "Checking TLS 1.2 with DHE-RSA..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

echo "Checking TLS 1.2 with ECDHE-RSA..."
$CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

echo "Checking TLS 1.2 with DHE-DSS..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS$ADD" --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

if test "$FIPS" != 1;then
#-cipher ECDHE-ECDSA-AES128-SHA
launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1_2 -key $ECC224_KEY -cert $ECC224_CERT -Verify 1 -named_curve secp224r1 -CAfile $CA_ECC_CERT &
PID=$!
wait_server $PID

echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP224R1)"
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait
fi

#-cipher ECDHE-ECDSA-AES128-SHA
launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1_2 -key $ECC384_KEY -cert $ECC384_CERT -Verify 1 -named_curve secp384r1 -CAfile $CA_ECC_CERT &
PID=$!
wait_server $PID

echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP384R1)"
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

if test "$FIPS" != 1;then
#-cipher ECDHE-ECDSA-AES128-SHA
launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem -certform pem -tls1_2 -key $ECC521_KEY -cert $ECC521_CERT -Verify 1 -named_curve secp521r1 -CAfile $CA_ECC_CERT &
PID=$!
wait_server $PID

echo "Checking TLS 1.2 with ECDHE-ECDSA... (SECP521R1)"
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --insecure --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait
fi #FIPS

fi #SV2

#-cipher PSK
launch_bare_server $$ s_server -quiet -www -accept $PORT -tls1_2 -keyform pem -certform pem  -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db &
PID=$!
wait_server $PID

echo "Checking TLS 1.2 with PSK..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL$ADD" --insecure --pskusername Client_identity --pskkey 9e32cf7786321a828ef7668f09fb35db </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

launch_bare_server $$ s_server -quiet -accept $PORT -keyform pem -certform pem -dtls1 -timeout -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT &
PID=$!
wait_server $PID

# Test DTLS 1.0 with RSA ciphersuite
echo "Checking DTLS 1.0 with RSA..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA$ADD" --udp --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

launch_bare_server $$ s_server -quiet -accept $PORT -keyform pem -certform pem -dtls1 -timeout -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT &
PID=$!
wait_server $PID

# Test DTLS 1.0 with DHE-RSA ciphersuite
echo "Checking DTLS 1.0 with DHE-RSA..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA$ADD" --udp --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

launch_bare_server $$ s_server -quiet -accept $PORT -keyform pem -certform pem -dtls1 -timeout -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT &
PID=$!
wait_server $PID

# Test DTLS 1.0 with DHE-DSS ciphersuite
echo "Checking DTLS 1.0 with DHE-DSS..."
$VALGRIND $CLI $DEBUG -p $PORT 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS$ADD" --udp --insecure --x509certfile $CLI_CERT --x509keyfile $CLI_KEY </dev/null >/dev/null || \
  fail $PID "Failed"

kill $PID
wait

done

echo "Client mode tests were successfully completed"
echo ""
echo "###############################################"
echo "# Server mode tests (gnutls server-openssl cli#"
echo "###############################################"
SERV="../../src/gnutls-serv$EXEEXT -q"

# Note that openssl s_client does not return error code on failure

for ADD in "" ":%COMPAT" ":%NO_ETM" ":%NO_TICKETS" ":%DISABLE_SAFE_RENEGOTIATION"
do

if ! test -z "$ADD";then
echo ""
echo "** Modifier: $ADD"
fi

if test 0 = 1;then

echo "Check SSL 3.0 with RSA ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
wait_server $PID

$OPENSSL_CLI s_client  -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

echo "Check SSL 3.0 with DHE-RSA ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
wait_server $PID

$OPENSSL_CLI s_client  -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

echo "Check SSL 3.0 with DHE-DSS ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh  & PID=$!
wait_server $PID

$OPENSSL_CLI s_client  -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

fi

#TLS 1.0

# This test was disabled because it doesn't work as expected with openssl 1.0.0d
#echo "Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)"
#launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh & PID=$!
#wait_server $PID
#
#$OPENSSL_CLI s_client  -host localhost -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
#  fail $PID "Failed"
#
#kill $PID
#wait

if test "$FIPS" != 1;then
echo "Check TLS 1.0 with RSA-NULL ciphersuite"
launch_server $$  --priority "NONE:+NULL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
wait_server $PID

$OPENSSL_CLI s_client -cipher NULL-SHA -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait
fi

echo "Check TLS 1.0 with DHE-RSA ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
wait_server $PID

$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

echo "Check TLS 1.0 with DHE-DSS ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh  & PID=$!
wait_server $PID

$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

echo "Check TLS 1.0 with ECDHE-RSA ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-RSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

if test "$FIPS" != 1;then
echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP224R1)"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile $CA_ECC_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-ECDSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC224_CERT -key $ECC224_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait
fi

echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP256R1)"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile $CA_ECC_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-ECDSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC256_CERT -key $ECC256_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP384R1)"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile $CA_ECC_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-ECDSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC384_CERT -key $ECC384_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

if test "$FIPS" != 1;then
echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite (SECP521R1)"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile $CA_ECC_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-ECDSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1 -port $PORT -cert $ECC521_CERT -key $ECC521_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait
fi

echo "Check TLS 1.0 with PSK ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$!
wait_server $PID

#-cipher PSK-AES128-SHA 
$OPENSSL_CLI  s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port $PORT crt_file=$CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep ":error:" && \
  fail $PID "Failed"

kill $PID
wait

if test $SV2 = 0;then

echo "Check TLS 1.2 with DHE-RSA ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
wait_server $PID

$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

echo "Check TLS 1.2 with DHE-DSS ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS$ADD" --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh  & PID=$!
wait_server $PID

$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

echo "Check TLS 1.2 with ECDHE-RSA ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-ALL$ADD" --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-RSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

if test "$FIPS" != 1;then
echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP224R1)"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC224_CERT --x509keyfile $ECC224_KEY --x509cafile $CA_ECC_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-ECDSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC224_CERT -key $ECC224_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait
fi

echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP256R1)"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC256_CERT --x509keyfile $ECC256_KEY --x509cafile $CA_ECC_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-ECDSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC256_CERT -key $ECC256_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP384R1)"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC384_CERT --x509keyfile $ECC384_KEY --x509cafile $CA_ECC_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-ECDSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC384_CERT -key $ECC384_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

if test "$FIPS" != 1;then
echo "Check TLS 1.2 with ECDHE-ECDSA ciphersuite (SECP521R1)"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+ECDHE-ECDSA:+CURVE-ALL$ADD" --x509certfile $ECC521_CERT --x509keyfile $ECC521_KEY --x509cafile $CA_ECC_CERT & PID=$!
wait_server $PID

#-cipher ECDHE-ECDSA-AES128-SHA 
$OPENSSL_CLI s_client  -host localhost -tls1_2 -port $PORT -cert $ECC521_CERT -key $ECC521_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait
fi

echo "Check TLS 1.2 with PSK ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+PSK:+CURVE-ALL$ADD" --pskpasswd $SERV_PSK --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT & PID=$!
wait_server $PID

#-cipher PSK-AES128-SHA 
$OPENSSL_CLI  s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1_2 -port $PORT crt_file=$CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep ":error:" && \
  fail $PID "Failed"

kill $PID
wait

fi #SV2

# DTLS
echo "Check DTLS 1.0 with RSA ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA$ADD" --udp --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
wait_server $PID


$OPENSSL_CLI s_client  -host localhost -port $PORT -dtls1 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait


echo "Check DTLS 1.0 with DHE-RSA ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-RSA$ADD" --udp --x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT --dhparams params.dh  & PID=$!
wait_server $PID



$OPENSSL_CLI s_client  -host localhost -port $PORT -dtls1 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait


echo "Check DTLS 1.0 with DHE-DSS ciphersuite"
launch_server $$  --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+DHE-DSS$ADD" --udp --x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh  & PID=$!
wait_server $PID


$OPENSSL_CLI s_client  -host localhost -port $PORT -dtls1 -cert $CLI_CERT -key $CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
  fail $PID "Failed"

kill $PID
wait

done

exit 0